Privacy Policy

1. Introduction

Houston Roleplay ("we", "us", or "our") operates the website at hstnrp.xyz and associated services. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. We are committed to collecting only what is strictly necessary to operate the Services.

2. Data We Collect

Data Type	Source	Purpose	Retention
Discord User ID, username, avatar, roles	Discord OAuth 2.0	Authentication, staff access control, role verification	Session cookie — 24 hours. Role data refreshed on login.
Roblox User ID and username	Roblox OAuth 2.0 (linked voluntarily)	Account linking for ERLC verification	Until manually unlinked by the user
Department application content	Application form submission	Staff review and department onboarding	Indefinitely for accepted apps; 90 days for denied/withdrawn
Report submissions	Report form submission	Staff moderation and record-keeping	Indefinitely while the report is open; archived on close
Mod log entries	Staff actions	Moderation accountability and audit trail	Indefinitely
IP address	Cloudflare (CDN/proxy)	DDoS mitigation, rate limiting	Processed by Cloudflare per their privacy policy; not stored by us

We do not collect or store passwords, payment information, or any sensitive personal data beyond what is listed above.

3. How We Use Your Data

• Authentication: Your Discord session token is stored in an HttpOnly cookie to keep you logged in for up to 24 hours.
• Access Control: Discord roles are checked to determine staff permissions on the Staff Panel.
• Account Linking: If you choose to link your Roblox account, your Roblox User ID is stored alongside your Discord User ID in Cloudflare KV to enable in-game verification.
• Applications & Reports: Submitted form data is stored in our MongoDB database and is accessible only to authenticated staff members.
• Announcements: When a staff member posts an announcement, it is sent to our Discord server via webhook. We do not store the webhook URL in any user-accessible location.

4. Data Sharing

We do not sell, rent, or trade your personal data. Data may be shared with the following third-party processors solely to operate the Services:

• Cloudflare — CDN, DDoS protection, Cloudflare Pages hosting, Cloudflare Workers, and Cloudflare KV storage. Cloudflare Privacy Policy
• MongoDB Atlas — Cloud database for applications, reports, mod logs, and announcements. MongoDB Privacy Policy
• Discord — OAuth 2.0 authentication and webhook delivery. Discord Privacy Policy
• Roblox — OAuth 2.0 account linking (only if you choose to link). Roblox Privacy Policy

5. Cookies and Session Storage

We use a single HttpOnly, Secure, SameSite=Lax cookie named hr_session to maintain your login session. This cookie:

• Is set only when you authenticate with Discord
• Expires after 24 hours
• Contains a signed JWT — no plaintext credentials are stored
• Cannot be accessed by JavaScript (HttpOnly)

We do not use advertising cookies, tracking pixels, or any third-party analytics scripts.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your data. Note that mod log entries and closed reports may be retained for legitimate moderation purposes.
• Roblox Unlink: You can unlink your Roblox account at any time from the main site, which immediately removes your Roblox User ID from our systems.
• Portability: Request your submitted application or report data in a machine-readable format.

To exercise any of these rights, contact us through our Discord server.

7. Data Security

We implement the following security measures to protect your data:

• All data in transit is encrypted via HTTPS (TLS 1.2+) enforced by Cloudflare.
• Session JWTs are signed using HMAC-SHA256 and validated server-side on every request.
• API secrets (Discord client secret, MongoDB credentials, ERLC server key) are stored as encrypted environment secrets in Cloudflare Workers — never in source code.
• MongoDB Atlas access is restricted by IP allowlist and scoped credentials.
• Staff Panel endpoints verify role authorization on every request.

8. Children's Privacy

The Services are not directed to children under 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. Contact us via Discord if you believe this has occurred.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top will change. Material changes will be announced in the Discord server. Continued use of the Services after changes are posted constitutes your acceptance of the revised Policy.

10. Contact

For privacy-related requests or questions, please contact us through our Discord server.